# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
import boto3
import json
import os
# Module-level client: created once per Lambda execution environment and reused
# across warm invocations. AWS_REGION is set by the Lambda runtime.
_region = os.environ["AWS_REGION"]
config = boto3.client("config", region_name=_region)
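# AWS Config rejects Evaluation.Annotation values longer than 256 characters.
_MAX_ANNOTATION_LEN = 256


def _required_policy_arns(event):
    """Return the list of required managed-policy ARNs from the rule parameters.

    Config delivers ``ruleParameters`` as a JSON string. The
    ``requiredAwsManagedPolicyArns`` value is accepted either as a JSON list
    or as a comma-separated string (rule parameter values are commonly plain
    strings); iterating a bare string would otherwise yield single characters.

    Raises:
        KeyError: if ``requiredAwsManagedPolicyArns`` is not present.
    """
    params = json.loads(event.get("ruleParameters") or "{}")
    required = params["requiredAwsManagedPolicyArns"]
    if isinstance(required, str):
        return [arn.strip() for arn in required.split(",") if arn.strip()]
    return list(required)


def _evaluate_role(ci, required_arns):
    """Classify one configuration item.

    Returns a ``(ComplianceType, Annotation)`` tuple where Annotation is
    ``None`` when there is nothing to report.
    """
    if ci["resourceType"] != "AWS::IAM::Role":
        return "NOT_APPLICABLE", None
    # Both ResourceDeleted and ResourceDeletedNotRecorded describe a removed
    # resource whose 'configuration' is typically empty, so check status before
    # touching the configuration payload.
    if ci["configurationItemStatus"].startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", None
    configuration = ci.get("configuration") or {}
    # Only roles usable by EC2 (i.e. attached to an instance profile) are in scope.
    if not configuration.get("instanceProfileList"):
        return "NOT_APPLICABLE", "Role has no associated instance profiles"
    attached = {p["policyArn"] for p in configuration.get("attachedManagedPolicies", [])}
    missing = [arn for arn in required_arns if arn not in attached]
    if missing:
        return "NON_COMPLIANT", "Missing required attached policies: " + ", ".join(missing)
    return "COMPLIANT", None


def handler(event, context):
    """Lambda entry point for an AWS Config custom rule.

    Marks an IAM role COMPLIANT when every ARN listed in the
    ``requiredAwsManagedPolicyArns`` rule parameter is attached to it,
    NON_COMPLIANT when any is missing, and NOT_APPLICABLE for non-role
    resources, deleted resources, and roles with no instance profile.
    The result is submitted back to Config with ``put_evaluations``.

    Args:
        event: Config rule invocation event (``invokingEvent``,
            ``ruleParameters`` and ``resultToken`` are read).
        context: Lambda context; unused.

    Raises:
        RuntimeError: if Config reports any failed evaluation.
        KeyError: if a required event or configuration-item field is absent.
    """
    # The result token authorizes submitting evaluations for this invocation;
    # keep it out of the CloudWatch log.
    logged_event = {**event, "resultToken": "<redacted>"} if "resultToken" in event else event
    print(json.dumps({"Message": "Received event", "event": logged_event}))

    ie = json.loads(event["invokingEvent"])
    ci = ie["configurationItem"]
    print(json.dumps({"Message": "Evaluating configuration item", "configurationItem": ci}))

    # Evaluation template
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }

    # Evaluate resource as NOT_APPLICABLE, NON_COMPLIANT, or COMPLIANT
    compliance_type, annotation = _evaluate_role(ci, _required_policy_arns(event))
    evaluation["ComplianceType"] = compliance_type
    if annotation:
        # Truncate rather than let put_evaluations fail validation on a long list.
        evaluation["Annotation"] = annotation[:_MAX_ANNOTATION_LEN]

    print(json.dumps({"Message": "Submitting evaluation", "evaluation": evaluation}))
    res = config.put_evaluations(
        Evaluations=[evaluation],
        ResultToken=event["resultToken"],
    )
    if res["FailedEvaluations"]:
        raise RuntimeError(f"ERROR - Failed evaluations: {res['FailedEvaluations']}")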